Controls

All plans

Permissions, roles, and access controls finance teams can actually trust.

Role-based permissions. Per-entity access. Dual-Control Mode on every plan. Workplace Associate restricted portal. SAML SSO with domain enforcement on Enterprise. 2FA. Audit trail on every change.

Request access See pricing

Roles

01

Roles that map to how finance teams really work.

Owner, admin, accountant, controller, viewer, and the Workplace Associate role for restricted portal users. Each role carries a permission set you can customize. Per-user entity grants layer on top; users see only the entities they're granted, in every report and search result.

  • Owner, admin, accountant, controller, viewer roles.
  • Workplace Associate role: restricted portal for PO submitters and vendor-mapped bill approvers.
  • Per-user entity grants.
  • Per-role permission customization.

Dual-Control Mode

02

Drafter and approver, separated.

Available on every plan. The user preparing a journal entry, bill, invoice, or settings change cannot be the same user who posts or applies it. Configurable approval chains and routing rules. Separation of duties enforced, not optional.

  • Drafter and approver enforced as different users.
  • Configurable approval chains.
  • Separation of duties at the action level.
  • Per-record audit trail with provenance.

SSO and 2FA

03

SAML SSO and two-factor authentication.

SAML SSO with domain verification and just-in-time user provisioning on Growth (1 connection) and Enterprise (unlimited connections + enforcement). Two-factor authentication is available on every plan and can be required for users in privileged roles.

  • SAML SSO: 1 connection on Growth, unlimited + enforcement on Enterprise.
  • Two-factor authentication on every plan.
  • Domain verification and just-in-time provisioning.
  • Session timeout configurable per workspace.

Audit trail

04

Every action recorded.

Immutable audit log of every user action against every record, capturing who changed what, what the prior value was, when the change was applied, and which IP and session. Exportable for audit support.

Want a closer look?

See permissions & roles in a guided demo.

Walk through the workflow with our team. We'll show how it fits your books and answer questions on plan fit, migration, and rollout.

Request a demo See pricing

Questions

About permissions & roles.

Is Dual-Control Mode an Enterprise feature?

No. Dual-Control Mode is available on every plan, including Essentials.

What is the Workplace Associate role for?

A restricted portal role for PO submitters and vendor-mapped bill approvers; they see only their own work and the bills assigned to them, never the full accounting app.

When does SAML SSO become available?

Growth includes 1 SSO connection. Enterprise unlocks unlimited SSO connections and SSO enforcement (users must sign in via SSO).

Related

Other capabilities to look at.

Back to Product →

Controls

Close & controls

A five-stage close checklist, row-level period locking, Dual-Control Mode on every plan, configurable approval workflows, audit log, and AI-explained outlier detection.

Read more

AI Accountant

AI Accountant

Ask in plain English, get answers grounded in posted GL. Drafts JEs, bills, invoices, IC entries, and setup changes. Human approval and full audit attribution on every action.

Read more

Scale

Multi-entity consolidation

Multiple entities under one company. One-click consolidated financials, entity-level permissions and currencies, and a consolidated trial balance that ties to source records.

Read more

Ready to put permissions & roles to work?

Start a free account in minutes, see the plan that fits, or book a guided demo with our team.

Request access See pricingRequest a demo
Back to Product